malwarewikiaorg-20200223-history
Giyotin
Giyotin, or Guillotine, is a ransomware that runs on Microsoft Windows. It was discovered by Karsten Kahn. It is aimed at Turkish-speaking users.

Payload Transmission

Giyotin is distributed by hacking through an insecure RDP configuration, through email spam and malicious attachments, deceptive downloads, botnets, exploits, web injects, fake updates, and repackaged and infected installers.

Infection

Giyotin runs on the victim's computer as 'MyRansom.exe', making various changes to the victim's computer. Giyotin did not encrypt data on test machines, but it is likely that Giyotin follows the pattern of LIGMA. It targets user-generated files such as those with the extensions below:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar

The files are made inaccessible so that a ransom payment can be demanded. Giyotin is particularly threatening because it appears to intend to compromise the infected computer's Master Boot Record, all in exchange for a ransom of about 60 USD to be paid in a cryptocurrency. Giyotin demands the ransom payment after encrypting the victim's files and carrying out its attack. To do this, Giyotin delivers ransom notes in the form of text files and changes the infected computer's desktop image. The Giyotin Ransomware's ransom note, written in Turkish, reads:

OOPS, GİYOTİN FİDYE YAZILIMININ KURBANI OLDUNUZ
Bilgisayarınız ve Tüm Önemli Dosyalarınız Şifrelendi.
Dosyalarınızı Geri Alıp Bilgisayarınıza Tamamen Erişim Sağlayabilmek İçin Aşağıdaki Adımları Takip Edin
1-İnternet Üzerinden Herhangi Bir Website veya Server Yardımıyla Bİr Bitcoin Hesabı ve Cüzdanı Oluşturun
2-Bİtcoin Hesabınız Üzerinden Aşağıda Belirtilen Adreslerden Herhangi Birine 60$(Dolar) Değerinde Bitcoin Gönderin
3BsZcdJBLvLks7r5T2CfCEfSUJ3cQxA82
3JuU6UkwcYVGjHqxZnwpC8H3oE87DSSEDN
3-Ödeme İşleminden Sonra anony46NcRyptr708onion@protonmail.ch adresine "HACKED" Metni İçeren Bir Mesaj Bırakın
ANCAK FAZLA ZAMANINIZ YOK 12 SAAT İÇERİSİNDE BU İŞLEMLERİ YAPMADIĞINIZ TAKDİRDE BİLGİSAYARINIZ KALICI OLARAK ÇÖKECEKTİR !!!!

An English translation of the above text:

OOPS, YOU HAVE BECOME A VICTIM OF THE GUILLOTINE RANSOMWARE
Your Computer and All Your Important Files Have Been Encrypted.
Follow the Steps Below to Get Your Files Back and Regain Full Access to Your Computer
1-Create a Bitcoin Account and Wallet with the Help of Any Website or Server over the Internet
2-From Your Bitcoin Account, Send $60 (Dollars) Worth of Bitcoin to Any One of the Addresses Listed Below
3BsZcdJBLvLks7r5T2CfCEfSUJ3cQxA82
3JuU6UkwcYVGjHqxZnwpC8H3oE87DSSEDN
3-After Payment, Leave a Message Containing the Text "HACKED" at anony46NcRyptr708onion@protonmail.ch
BUT YOU DO NOT HAVE MUCH TIME: IF YOU DO NOT COMPLETE THESE STEPS WITHIN 12 HOURS, YOUR COMPUTER WILL CRASH PERMANENTLY !!!!
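The indicators above (the 'MyRansom.exe' image name, the Turkish note text, the contact address and the two payment addresses, and the target extension list) are what an incident responder would sweep a machine or a file share for. The following triage script is an added example, not code from the wiki or from any analysis of the sample: it walks a directory tree, flags text files that contain the note's strings, records any file named like the payload, and counts files whose extensions appear in the page's target list so the potential blast radius can be estimated. The extension set is a labelled subset of the page's list, the directory layout and the sample note file name are constructed for the demonstration, and the assumption that dropped notes are plain .txt files follows the page's statement that the notes are delivered as text files.

```python
"""Defensive triage for Giyotin / Guillotine ransomware indicators.

Added example, not from the wiki page. Scans a tree for dropped ransom notes
matching the quoted note text, for the reported payload image name, and for
files whose extensions are on the page's target list.
"""
import os
import tempfile
from collections import Counter

# Strings taken verbatim from the ransom note quoted on the page.
NOTE_MARKERS = (
    "GİYOTİN FİDYE YAZILIMININ KURBANI",
    "anony46NcRyptr708onion@protonmail.ch",
    "3BsZcdJBLvLks7r5T2CfCEfSUJ3cQxA82",
    "3JuU6UkwcYVGjHqxZnwpC8H3oE87DSSEDN",
)

# Image name the page reports the payload running under (compared case-insensitively).
PAYLOAD_NAME = "myransom.exe"

# Subset of the page's target extension list; extend with the full list as needed.
TARGET_EXTENSIONS = frozenset({
    ".jpg", ".jpeg", ".png", ".doc", ".docx", ".xls", ".xlsx", ".pdf",
    ".sql", ".db", ".cpp", ".py", ".psd", ".txt", ".zip", ".rar",
})


def match_note_markers(text):
    """Return the note indicators that occur in a text body (empty if none)."""
    return [marker for marker in NOTE_MARKERS if marker in text]


def scan_tree(root, max_note_bytes=65536):
    """Walk `root` and collect note hits, payload-name hits and exposure counts."""
    report = {"notes": [], "payload_hits": [], "targeted_by_ext": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == PAYLOAD_NAME:
                report["payload_hits"].append(path)
            ext = os.path.splitext(name)[1].lower()
            if ext in TARGET_EXTENSIONS:
                report["targeted_by_ext"][ext] += 1
            # The page says notes are dropped as text files, so only .txt is read.
            if ext == ".txt":
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        body = fh.read(max_note_bytes)
                except OSError:
                    continue
                hits = match_note_markers(body)
                if hits:
                    report["notes"].append((path, hits))
    return report


def build_demo_tree(root):
    """Constructed sample layout (not real artefacts) used to exercise scan_tree."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx", "photo.jpg", "budget.xlsx", "notes.txt"):
        with open(os.path.join(docs, name), "w", encoding="utf-8") as fh:
            fh.write("harmless sample content\n")
    # Constructed note file name; the real dropped file name is not on the page.
    note = ("OOPS, GİYOTİN FİDYE YAZILIMININ KURBANI OLDUNUZ\n"
            "3-... anony46NcRyptr708onion@protonmail.ch adresine ...\n")
    with open(os.path.join(docs, "ransom_note_sample.txt"), "w", encoding="utf-8") as fh:
        fh.write(note)
    # Empty placeholder standing in for the payload image name; no real binary.
    open(os.path.join(root, "MyRansom.exe"), "wb").close()


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    result = demo()
    print("ransom notes found:", len(result["notes"]))
    print("payload-name hits:", len(result["payload_hits"]))
    print("files with targeted extensions:", dict(result["targeted_by_ext"]))
```

On a live case, run `scan_tree` against a mounted image or share rather than the temp tree; the note markers are a cheap first filter, and any hit should be followed by checking the MBR of the affected machine, since the page notes the family appears to intend to tamper with it.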
Categories: Ransomware, Win32 ransomware, Win32, Win32 trojan, Microsoft Windows, Trojan, Assembly